Flash flaw puts most sites, users at risk, say researchers

Instead, Arkin added, Adobe has tried to get the word out to Web application designers and site administrators about the danger of allowing users to upload content. "Sites should not allow user uploads to a trusted domain," Arkin argued. "The real issue here is that developers should be cautious about using techniques that can be misused maliciously. In general, this is a general challenge in managing active content."

Bailey and Murray echoed that, but said most sites haven't taken that advice.

"Some of the big Web properties have figured this out," said Bailey. "In a lot of cases, they're hosting user-generated content on another domain, perhaps for performance reasons." Among those site and services that have locked down their servers, Foreground cited Microsoft's Windows Live Hotmail and Google's YouTube. "But very few system administrators are even aware of this," Bailey added.

Even some of Adobe's Web properties are vulnerable to such an attack. "How can Adobe expect others to protect themselves when they can't do it themselves?" asked Murray.

Google's Gmail is also at risk from malicious Flash attack -- Gmail lets users upload and download file attachments -- although Bailey said that exploiting Google's Web mail service would be "extremely tricky" with "lots of hoops to jump through."

Although Foreground has not detected any in-the-wild attacks using the technique, Murray said that there's evidence hackers are moving toward such tactics. "We're starting to see Flash used in these ways," he said, and cited a recent worm that leveraged a similar vulnerability in Adobe's software, which is pervasive on the Web and on users' machines. "The worst-case scenario is that someone would figure this out, and launch silent attacks against the entire Internet."

That fear was a major consideration in Foreground's decision to go public with its information, even though Adobe can't fix the problem with a global patch of some sort. "We went back and forth on this a whole lot," said Murray.

The only current defense users can employ against such attacks is to stop using Flash, or failing that, restrict its use to sites known to be safe with tools such as the NoScript add-on for Mozilla's Firefox, or ToggleFlash for Microsoft's Internet Explorer.

"The best mitigation is to not use Flash," argued Murray, "but we know that that's impossible for most users, since Flash is so widely used on the Web."

"Almost everyone using the Internet is vulnerable to a Web site that allows content to be updated inappropriately," said Murray. "That's not hyperbole, it's just fact. This has the potential to affect any social media site, any career site, any dating site, many retail sites and many cloud applications. That's why this attack is so serious. End users would never know they got exploited."

Adobe was not immediately available for comment.

Read more about security in Computerworld's Security Knowledge Center.